summaryrefslogtreecommitdiff
path: root/source4/kdc/hdb-samba4.c
AgeCommit message (Collapse)AuthorFilesLines
2009-06-30s4:heimdal Allow KRB5_NT_ENTERPRISE names in all DB lookupsAndrew Bartlett1-0/+1
The previous code only allowed an KRB5_NT_ENTERPRISE name (an e-mail list user principal name) in an AS-REQ. Evidence from the wild (Win2k8 reportadely) indicates that this is instead valid for all types of requests. While this is now handled in heimdal/kdc/misc.c, a flag is now defined in Heimdal's hdb so that we can take over this handling in future (once we start using a system Heimdal, and if we find out there is more to be done here). Andrew Bartlett
2009-06-30s4:kdc Only get the lp_ctx once for a LDB_fetch()Andrew Bartlett1-11/+18
2009-06-30Rework hdb-samba4 to remove useless abstractions.Andrew Bartlett1-84/+44
The function LDB_lookup_principal() has been eliminated, and it's contents spread back to it's callers. Removing the abstraction makes the code clearer. Also ensure we never pass unescaped user input to a LDB search function. Andrew Bartlett
2009-06-18s4:kdc Allow a password change when the password is expiredAndrew Bartlett1-1/+12
This requires a rework on Heimdal's windc plugin layer, as we want full control over what tickets Heimdal will issue. (In particular, in case our requirements become more complex in future). The original problem was that Heimdal's check would permit the ticket, but Samba would then deny it, not knowing it was for kadmin/changepw Also (in hdb-samba4) be a bit more careful on what entries we will make the 'change_pw' service mark that this depends on. Andrew Bartlett
2009-06-12s4:heimdal: import lorikeet-heimdal-200906080040 (commit ↵Andrew Bartlett1-59/+52
904d0124b46eed7a8ad6e5b73e892ff34b6865ba) Also including the supporting changes required to pass make test A number of heimdal functions and constants have changed since we last imported a tree (for the better, but inconvenient for us). Andrew Bartlett
2009-06-04changed the auth path to use extended DN ops to avoid non-indexed searchesAndrew Tridgell1-27/+25
Logs showed that every SAM authentication was causing a non-indexed ldb search for member=XXX. This was previously indexed in Samba4, but since we switched to using the indexes from the full AD schema it now isn't. The fix is to use the extended DN operations to allow us to ask the server for the memberOf attribute instead, with with the SIDs attached to the result. This also means one less search on every authentication. The patch is made more complex by the fact that some common routines use the result of these user searches, so we had to update all searches that uses user_attrs and those common routines to make sure they all returned a ldb_message with a memberOf filled in and the SIDs attached.
2009-05-27Handle the krbtgt special case by looking for RID -514Andrew Bartlett1-26/+52
It turns out (seen in MS-SAMR 3.1.1.7.1 for example) that the primary way the krbtgt account is recognised as special is that RID. This should fix issues such as 'password expired' on the kpasswd service. Andrew Bartlett
2009-05-26Don't use crossRef records to find our own domainAndrew Bartlett1-138/+69
A single AD server can only host a single domain, so don't stuff about with looking up our crossRef record in the cn=Partitions container. We instead trust that lp_realm() and lp_workgroup() works correctly. Andrew Bartlett
2009-02-01s4:kdc: avoid c++ reserved word 'private'Stefan Metzmacher1-26/+26
metze
2008-12-29s4:lib/tevent: rename structsStefan Metzmacher1-1/+1
list="" list="$list event_context:tevent_context" list="$list fd_event:tevent_fd" list="$list timed_event:tevent_timer" for s in $list; do o=`echo $s | cut -d ':' -f1` n=`echo $s | cut -d ':' -f2` r=`git grep "struct $o" |cut -d ':' -f1 |sort -u` files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4` for f in $files; do cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp mv $f.tmp $f done done metze
2008-12-29s4:kdc: pass down event_context explicitStefan Metzmacher1-1/+1
metze
2008-10-18Add TALLOC_CTX pointer to strhex_to_data_blob for consistency with SambaJelmer Vernooij1-2/+1
3.
2008-10-11Fix include paths to new location of libutil.Jelmer Vernooij1-1/+1
2008-10-06Set default trust kvno to -1Andrew Bartlett1-1/+1
2008-10-06Fix cross-realm authentication in Samba4's KDC.Andrew Bartlett1-3/+5
2008-10-06Use the trust password version as kvno for trusts in Kerberos.Andrew Bartlett1-0/+7
2008-09-29Rename hdb_ldb to hdb_samba4 and load as a plugin into the kdc.Andrew Bartlett1-0/+1550
This avoids one more custom patch to the Heimdal code, and provides a more standard way to produce hdb plugins in future. I've renamed from hdb_ldb to hdb_samba4 as it really is not generic ldb. Andrew Bartlett